table

Description

The table command returns a table that is formed by only the fields that you specify in the arguments. Columns are displayed in the same order that fields are specified. Column headers are the field names. Rows are the field values. Each row represents an event.

The table command is similar to the fields command in that it lets you specify the fields you want to keep in your results. Use the table command when you want to retain data in tabular format.

With the exception of a scatter plot to show trends in the relationships between discrete values of your data, you should not use the table command for charts. See Usage.

Syntax

table <wc-field-list>

Arguments

<wc-field-list>

Syntax: <wc-field> <wc-field> ...

Description: A list of field names. You can use wildcard characters in the field names.

Usage

Visualizations

Other than a scatter plot, you should not use the table command for visualizations. Splunk Web requires the internal fields, which are the fields that begin with an underscore character, to render the visualizations. The table command strips these fields out of the results by default. To build visualizations, you should use the fields command instead. The fields command always retains all the internal fields.

Command type

The table command is a non-streaming command. If you are looking for a streaming command similar to the table command, use the fields command.

Field renaming

The table command doesn't let you rename fields, only specify the fields that you want to show in your tabulated results. If you're going to rename a field, do it before piping the results to table.

Truncated results

The table command truncates the number of results returned based on settings in the limits.conf file. In the [search] stanza, if the value for the truncate_report parameter is 1, the number of results returned is truncated.

The number of results is controlled by the max_count parameter in the [search] stanza. If truncate_report is set to 0, the max_count parameter is not applied.

Examples

This example begins with a search for all recent earthquakes in Northern California (Region="Northern California").

Then it pipes these events into the rename command to change the names of the coordinate fields, from lat and lon to latitude and longitude. (The table command doesn't let you rename or reformat fields, only specify the fields that you want to show in your tabulated results.)

Finally, it pipes the results into the table command and specifies both coordinate fields with lat*, lon*, the magnitude with mag, and the date and time with time.

This example just illustrates how the table command syntax allows you to specify multiple fields using the asterisk wildcard.

Example 3

This example uses the sample dataset from the tutorial but should work with any format of Apache Web access log. Download the data set from the Add data tutorial and follow the instructions to get the sample data into your Splunk deployment. Then, run this search using the time range, All time.

This example searches for Web access data and uses the dedup command to remove duplicate values of the IP addresses (clientip) that access the server. These results are piped into the eval command, which uses the cidrmatch() function to compare the IP addresses to a subnet range (192.0.0.0/16). This search also uses the if() function, which says that if the value of clientip falls in the subnet range, then network is given the value local. Otherwise, network=other.

The results are then piped into the table command to show only the distinct IP addresses (clientip) and the network classification (network):
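A search that follows the steps described above, written out here as an added example rather than taken from the original page. The source type sourcetype=access_* is an assumed name for the tutorial's web access data; substitute the source type used in your deployment.

```spl
sourcetype=access_*
| dedup clientip
| eval network=if(cidrmatch("192.0.0.0/16", clientip), "local", "other")
| table clientip network
```

Because the table command is non-streaming and strips the internal fields, keep it as the last command in the pipeline, and use fields clientip network instead if the results feed a visualization.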

More examples

Example 1: Create a table for fields foo, bar, then all fields that start with 'baz'.
